hi@localhost:~$ whoami

avi 



hi@localhost:~$ echo I AM NOT A LAWYER

I AM NOT A LAWYER 



Background && History of NSLs



National Security Letter (NSL)


An administrative subpoena issued to bypass 
the judicial system, "used to obtain 
information from companies as part of 
national security investigations" (EFF) 



What can be requested? 


Non-content information. 

Name, address, transaction records (date, 
time, length of calls), length of service 



So? 


The FBI, through NSLs, issues broad requests
for information on targets, including
"communities of interest", which enables it
to request information to expand mass
surveillance and data collection on targets
twice, or even further, removed from the
original target



1978 


First provisional NSL created under Right 
To Financial Privacy Act (RFPA) as part of 
the Financial Institutions Regulatory And 
Interest Rate Control Act of 1978 


1986


RFPA amended

Electronic Communications Privacy Act
(ECPA) passed by Congress allowing FBI to
issue NSLs (U.S.C. Section 2709 of Title
18)


1993


An amendment removed the restriction of
requiring their target to be a foreign
power or an agent of a foreign power



2000 


8500 NSLs were issued 


2001 


October 26, President George W. Bush signed 
the USA PATRIOT Act of 2001 into law, in 
section 505, loosening the standards for 
issuing NSLs 


2004


56,507 NSLs were issued, each accompanied
by a categorical and permanent gag order

April 24, Doe v. Ashcroft filed by ACLU on
behalf of an ISP owner

September, Doe v. Ashcroft, Judge Victor
Marrero struck down Section 2709 in the USA
PATRIOT Act along with the associated gag
provision


2005


Congress amended Section 2709 of Title 18
of the US Code in the USA PATRIOT
Improvement and Reauthorisation Act of 2005

Allowed for limited judicial review of
an NSL by a judge only if the recipient
files for a legal challenge against the
NSL



ACLU and NYCLU successfully argued Congress 
had not addressed all of the deficiencies 
in amended Section 2709, Judge Victor 
Marrero agreed and struck down the 
provision 

US Court of Appeals for the Second Circuit 
affirmed most of the District Court's 
decision 


FBI partially lifted the gag order in 
originally Doe v. Ashcroft, Nicholas 
Merrill of Calyx Internet Access finally 
revealed 



2013


President Barack Obama's Intelligence Review
Group reported average ~60 NSLs issued daily

February, Cloudflare served NSL-12-358696,
EFF takes case

July, FBI rescinds NSL and withdraws request
for information.


2014


Ken Carter of Cloudflare meets with a key
Capitol Hill staffer who dismissed concerns


2017 


With the gag order removed, Cloudflare 
finally reveals in their transparency 
report they had received an NSL in 2013. 



Background && History of Warrant Canaries



Canaries in coal mines


1911-1986 


What is a warrant canary?


An untested legal theory where providers
(traditionally) state publicly they have not
received an NSL


2006 


rsync.net, the first commercial provider to
begin publishing a warrant canary


2016 


Reddit removes their warrant canary (first 
published in their 2014 transparency report) 
in their 2015 transparency report 


[Figure: Interest over time. Warrant canary search history
(Google, 17 January 2019)]










Warrant Canary Projects



Canary Watch 


Launched in March 2015 by a coalition of 
various groups as a site for tracking warrant 
canaries 


Discontinued in May 2016 



Macaron Canary 


Create generic warrant canary examples
specifying provider's risk information;

Overall timeline of NSLs, warrant canaries;

Profiles of existing providers with warrant
canaries categorised by type and based off of
web scraping and user input to create warrant
canary statuses (N/A, stable, lean stable,
lean unstable, unstable)



Warrant Canary Criticism



Schneier on Security 








I have long discounted warrant canaries. A gag order is serious, and this sort of high-school trick 
won't fool judges for a minute. But so far they seem to be working. 


Now we have another question: now what? We have one piece of information, but not a very useful 
one. We know that NSLs can affect anywhere from a single user to millions of users. Which kind was 
this? We have no idea. Is Reddit fighting? We have no idea. How long will this go on? We don't know 
that, either. When I think about what we can do to be useful here, I can't think of anything. 

They might be illegal;

Not clear if it's possible for the government 
to legally require companies to lie about 
requests; 

Minor events (e.g. delay of updating) and
lack of information may lead to it being
misinterpreted and cause unnecessary fear;

Companies could purposely lie about requests
or employee(s) responsible may be unaware
about request(s);

Lots of varying formats! 



Or it's okay to not have a warrant canary!


...if you don't collect unnecessary and
sensitive user data



Options and What People, Companies, and
Organisations Can Do


The future I'd love to see though 

I'm Not A Lawyer 



Everyone should have a warrant canary available 
easily that is specific to their specific risks 
of compromise in a transparency report in a 
standardised way that is archived; 

Don't collect data that isn't relevant to a 
product for consumers; 

Sell products at a higher cost without selling 
out and/or collecting user data; 

If you receive an NSL+gag order, challenge the
legality of it;


This is the future I'd love to see very much
and I'm Still Not A Lawyer



Anyone that has any type of database/collection
of user data and information should limit the
type of data collected to reduce the exposure
of second, third, and further parties removed
from the target of an NSL


This is still the future I'd love to see very
much and I'm Still Not A Lawyer



The work being done to challenge NSLs+gag
orders by many, such as the EFF, ACLU, and NYCLU,
takes up a lot of their resources due to very
lengthy fights, so donate to support their
efforts to protect our privacy;

Petition and speak with members of Congress to 
reform the laws surrounding NSLs+gag orders 


This is still the future I'd like to see very
very much and I'm Still Not A Lawyer



Thank you! 



Avi Zajac @ 11 


